summaryrefslogtreecommitdiff
path: root/conf.d/020_acl.conf
blob: dfd210b40c8afd4856752e5ae28032b79fd2c926 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
######################################################################
#                       ACL CONFIGURATION                            #
#         Specifies access control lists for incoming SMTP mail      #
######################################################################

begin acl


######################
# GENERAL CHECK ACLs #
######################

acl_check_rcpt_introduction:

  require  set acl_m_msg = HELO/EHLO command required.
           condition     = ${if def:sender_helo_name}

  accept


acl_check_rcpt_syntax:

  deny     set acl_m_msg = Invalid local part.
           local_parts   = ^[.] : ^.*[@%!/|]

  accept


# Checks the link between a given mail alias and a given user.
# $acl_arg1: alias to check
# $acl_arg2: user
acl_check_alias:

  # Accept if the alias belongs to the user.
  accept   condition     = ${lookup{$acl_arg1}lsearch{ALIASMAP} {${if eq{$value}{$acl_arg2} {yes}{no}}} {no}}

  deny


# Checks if the host is allowed to send messages according to the local whitelist, DNS blocklists and SPF policy.
acl_check_rcpt_host_policy:

  # Accept all messages from trusted hosts and relays.
  # Also disable DKIM signature check as mailing list servers may alter messages.
  accept   hosts         = +trusted_relay_hosts
           control       = dkim_disable_verify

  # Deny messages from hosts known to be bad.
  deny     dnslists      = sbl-xbl.spamhaus.org : bl.spamcop.net
           set acl_m_msg = Rejected: $sender_host_address is in a black list at $dnslist_domain\n$dnslist_text

  # Accept if the host is an authorized sender according to the SPF policy for the domain (SPF pass).
  accept   set acl_m_spf = ${run{/usr/bin/spfquery.mail-spf-perl \
                             --ip ${quote:$sender_host_address} \
                             --identity ${if def:sender_address_domain \
                               {--scope mfrom --identity ${quote:$sender_address}} \
                               {--scope helo --identity ${quote:$sender_helo_name}}}}}
           condition     = ${if eq {$acl_m_spf}{0}{yes}{no}}

  # Deny if the host is explicitely not an authorized sender according to the SPF policy for the domain (SPF fail).
  deny     condition     = ${if eq {$acl_m_spf}{1}{yes}{no}}
           set acl_m_msg = [SPF] $sender_host_address is not allowed to send mail from \
                           ${if def:sender_address_domain {$sender_address_domain}{$sender_helo_name}}. \
                           Please see http://www.openspf.org/Why?scope=${if def:sender_address_domain \
                             {mfrom}{helo}};identity=${if def:sender_address_domain \
                             {$sender_address}{$sender_helo_name}};ip=$sender_host_address

  # Deny messages from hosts listed as non-MTA in the PBL, for which SPF couldn't determine a policy.
  deny     dnslists      = pbl.spamhaus.org
           set acl_m_msg = Rejected: $sender_host_address is in a black list at $dnslist_domain\n$dnslist_text

  # Accept otherwise
  accept


#########################
# MUA ACLs (submission) #
#########################

acl_mua_rcpt:

  require  message       = Encrypted session required for message submission.
           encrypted     = *

  require  message       = Courtesy protocol violation: $acl_m_msg
           acl           = acl_check_rcpt_introduction

  require  message       = Authentication required for message submission.
           authenticated = *
           control       = submission
           control       = dkim_disable_verify

  require  message       = Syntactic validation failed: $acl_m_msg
           acl           = acl_check_rcpt_syntax

  require  message       = Sender verification failed.
           verify        = sender

  accept


acl_mua_mail:

  require  message       = Envelope address mismatch: $authenticated_id is not authorized to use $sender_address.
           acl           = acl_check_alias $sender_address $authenticated_id

  accept


acl_mua_data:

  require  message       = Header address mismatch: $authenticated_id is not authorized to use ${address:$h_from:}.
           acl           = acl_check_alias ${address:$h_from:} $authenticated_id

  accept


############
# MTA ACLs #
############

acl_mta_rcpt:

  require  message       = Courtesy protocol violation: $acl_m_msg
           acl           = acl_check_rcpt_introduction

  require  message       = $acl_m_msg
           acl           = acl_check_rcpt_host_policy

  require  message       = Syntactic validation failed: $acl_m_msg
           acl           = acl_check_rcpt_syntax

  require  message       = Sender verification failed.
           verify        = sender

  require  message       = Unhandled destination.
           domains       = +local_domains : +relay_to_domains

  require  message       = Recipient verification failed.
           verify        = recipient

  accept


acl_mta_data:

  deny     set acl_m_msg = Maximum allowed line length is 998 octets, got $max_received_linelength.
           condition     = ${if > {$max_received_linelength}{998}}

  accept


# Checks the validity of each signatures in the message,
# and the presence of a required signature for the sender domain.
# Global var to enable mandatory signature check:
#   dkim_verify_signers = $sender_address_domain:$dkim_signers
acl_mta_dkim:

  deny     message       = [DKIM] invalid signature ($dkim_verify_reason).
           dkim_status   = fail

  deny     message       = [DKIM] required signature is missing.
           dkim_status   = none
           condition     = ${if match \
                             {${run{/usr/bin/dig +short TXT ${quote:_domainkey.$sender_host_address}}}}{/o=-/} \
                             {yes}{no}}

  accept